-
samba (2:4.8.4+dfsg-2ubuntu2.4) cosmic-security; urgency=medium
* SECURITY UPDATE: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
- debian/patches/CVE-2018-16860-1.patch: add test for S4U2Self with
unkeyed checksum in selftest/knownfail.d/mitm-s4u2self,
source4/torture/krb5/kdc-canon-heimdal.c.
- debian/patches/CVE-2018-16860-2.patch: reject PA-S4U2Self with
unkeyed checksum in selftest/knownfail.d/mitm-s4u2self,
source4/heimdal/kdc/krb5tgs.c.
- CVE-2018-16860
-- Marc Deslauriers <email address hidden> Wed, 08 May 2019 09:41:47 -0400
-
samba (2:4.8.4+dfsg-2ubuntu2.3) cosmic-security; urgency=medium
* SECURITY UPDATE: save registry file outside share as unprivileged user
- debian/patches/CVE-2019-3880.patch: remove implementations of
SaveKey/RestoreKey in source3/rpc_server/winreg/srv_winreg_nt.c.
- CVE-2019-3880
-- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 14:05:09 -0400
-
samba (2:4.8.4+dfsg-2ubuntu2.2) cosmic; urgency=medium
* Backport function to set protocol levels (LP: #1778322):
- d/p/add-smbc_setOptionProtocols.patch: add function to set protocol
levels
- d/libsmbclient.symbols: add smbc_setOptionProtocols
-- Andreas Hasenack <email address hidden> Thu, 28 Mar 2019 21:45:02 -0300
-
samba (2:4.8.4+dfsg-2ubuntu2.1) cosmic-security; urgency=medium
* SECURITY UPDATE: Unprivileged adding of CNAME record causing loop in AD
Internal DNS server
- debian/patches/CVE-2018-14629.patch: add CNAME loop prevention using
counter in python/samba/tests/dns.py, selftest/knownfail.d/dns,
source4/dns_server/dns_query.c.
- CVE-2018-14629
* SECURITY UPDATE: Double-free in Samba AD DC KDC with PKINIT
- debian/patches/CVE-2018-16841-1.patch: fix segfault on PKINIT with
mis-matching principal in source4/kdc/db-glue.c.
- debian/patches/CVE-2018-16841-2.patch: check for mismatching
principal in testprogs/blackbox/test_pkinit_heimdal.sh.
- CVE-2018-16841
* SECURITY UPDATE: NULL pointer de-reference in Samba AD DC LDAP server
- debian/patches/CVE-2018-16851.patch: check ret before manipulating
blob in source4/ldap_server/ldap_server.c.
- CVE-2018-16851
-- Marc Deslauriers <email address hidden> Fri, 16 Nov 2018 08:15:02 -0500
-
samba (2:4.8.4+dfsg-2ubuntu2) cosmic; urgency=high
[ Karl Stenerud ]
* d/p/fix-rmdir.patch: Fix to make the samba client library report
directory-not-empty errors (LP: #1795772)
-- Andreas Hasenack <email address hidden> Tue, 09 Oct 2018 14:32:16 -0300
-
samba (2:4.8.4+dfsg-2ubuntu1) cosmic; urgency=medium
* Merge with Debian unstable (LP: #1778125). Remaining changes:
- debian/VERSION.patch: Update vendor string to "Ubuntu".
- debian/smb.conf:
+ Add "(Samba, Ubuntu)" to server string.
+ Comment out the default [homes] share, and add a comment about
"valid users = %s" to show users how to restrict access to
\\server\username to only username.
- debian/samba-common.config:
+ Do not change priority to high if dhclient3 is installed.
- Add apport hook:
+ Created debian/source_samba.py.
+ debian/rules, debian/samba-common-bin.install: install hook.
- d/control, d/rules: Disable glusterfs support because it's not in main.
MIR bug is https://launchpad.net/bugs/1274247
* Drop:
- Add extra DEP8 tests to samba (LP #1696823):
+ d/t/control, d/t/cifs-share-access: access a file in a share using cifs
+ d/t/control, d/t/smbclient-anonymous-share-list: list available shares
anonymously
+ d/t/control, d/t/smbclient-authenticated-share-list: list available
shares using an authenticated connection
+ d/t/control, d/t/smbclient-share-access: create a share and download a
file from it
[Accepted by Debian in 2:4.7.4+dfsg-2]
- d/samba-common.dhcp: If systemctl is available, use it to query the
status of the smbd service before trying to reload it. Otherwise,
keep the same check as before and reload the service based on the
existence of the initscript. (LP #1579597)
[In Debian since 2:4.7.4+dfsg-2]
- debian/patches/passdb_dont_return_ok_if_pinfo_not_filled.patch:
[PATCH] s3:passdb: Do not return OK if we don't have pinfo filled.
Thanks to Andreas Schneider <email address hidden>. (LP #1761737)
[Fixed upstream]
samba (2:4.8.4+dfsg-2) unstable; urgency=high
* Fix typo in previous release: s/usefull/useful/
* Prepend 1.4.0+really to ldb version to allow samba-dsdb-modules install
(Closes: #906562, #906568)
* Urgency still set to high
samba (2:4.8.4+dfsg-1) unstable; urgency=high
[ Andreas Hasenack ]
* d/samba.logrotate: only try to reload the services if they are running
(Closes: #902149)
* Remove the deprecated "syslog" and "syslog only" options (Closes: #901138)
[ Mathieu Parent ]
* New upstream security release
- CVE-2018-1139 Weak authentication protocol allowed
- CVE-2018-1140 Denial of Service Attack on DNS and LDAP server
- CVE-2018-10858 Insufficient input validation on client directory listing
in libsmbclient
- CVE-2018-10918 Denial of Service Attack on AD DC DRSUAPI server
- CVE-2018-10919 Confidential attribute disclosure from the AD LDAP server
- Urgency set to high
- Bump build-depends ldb >= 1.3.5 (actually 2:1.4.0+really1.3.5) for
CVE-2018-1140
* smb.conf: Remove "wins support" and "wins server" comments
* smb.conf: Improve "logging" comments
* smb.conf: Remove "dns proxy = no", only useful as a WINS server
* smb.conf: Propose better idmap config
* smb.conf: Remove "passdb backend = tdbsam" as this is the default
* smb.conf: Fix "usershare max shares" default (patched to 100 instead of 0)
* Standards-Version: 4.2.0
* Set Rules-Requires-Root: binary-targets as chmod is used
* Remove override_dh_strip target as dbgsym migration is complete
samba (2:4.8.2+dfsg-2) unstable; urgency=medium
* Update panic-action script message, samba-dbg renamed to samba-dbgsym
(Closes: #900242)
* Ensure /var/lib/samba/dhcp.conf exists (Closes: #901585)
* Check smb.conf with testparm, and also with samba-tool when
server role = active directory domain controller (Closes: #900908)
samba (2:4.8.2+dfsg-1) unstable; urgency=medium
* New upstream release
- Bump build-depends ldb >= 1.3.3
* Fix lintian warnings with patches recently merged upstream:
- Add Fix-pidl-manpage-sections.patch
- Add Fix-spelling.patch
- Add Improve-vfs_linux_xfs_sgid-manpage.patch
* Wrap very long lines in d/rules
samba (2:4.8.1+dfsg-2) unstable; urgency=low
* Upload to unstable
* Really ignore nmbd start errors when there is no non-loopback interface
(Closes: #893762)
* Ignore nmbd start errors when there is no local IPv4 non-loopback interface
(Closes: #859526)
* Fix possible-unindented-list-in-extended-description in samba-vfs-modules
samba (2:4.8.1+dfsg-1) experimental; urgency=medium
* New upstream release
* Add lintian override for "smbclient: executable-is-not-world-readable
usr/lib/x86_64-linux-gnu/samba/smbspool_krb5_wrapper 0700" (See #894720)
* Improve samba-vfs-modules description (Closes: #776505)
* Check smb.conf in samba-common-bin.postinst (Closes: #816301)
* Mark libparse-pidl-perl, samba-dev, samba-dsdb-modules and samba-vfs-modules
as "Multi-Arch: same"
* Standards-Version: 4.1.4, no change
* debian/smb.conf: Fix typo in comment line: sever -> server (Closes: #763648)
* Read smb.conf until [print$] section instead of [cdrom] to preserve
locally-defined shares (Closes: #776259)
* Fix and improve dhcp integration:
- dhclient3 was renamed to dhclient long time ago...
- Remove /etc/samba/dhcp.conf on purge (Closes: #784713)
- Move dhcp.conf out of /etc to allow ro root (Closes: #695362)
- Update template for "Move dhcp.conf out of /etc to allow ro root"
* Enable --accel-aes=intelaesni on DEB_HOST_GNU_CPU=x86_64 (Closes: #896196)
- Use dh-exec to install libaesni-intel.so.0 only on amd64
samba (2:4.8.0+dfsg-2) experimental; urgency=medium
* Remove unused and outdated debian/README.debian (debian/README.Debian is
used instead)
* Mask services as appropriate in samba and winbind postinst (Closes: #863285)
- mask samba-ad-dc unless server role = active directory domain controller
(as before)
- mask smbd and nmbd when server role = active directory domain controller
- mask nmbd when disable netbios = yes (Closes: #866125)
* Set smbspool_krb5_wrapper permissions to 0700 (Closes: #894720, #372270)
* Remove Depends: samba-libs of lib{nss,pam}-winbind
* Mark winbind "Multi-Arch: allowed" and make lib{pam,nss}-winbind depends on
winbind:any to allow co-installation (Closes: #881100)
* Ignore nmbd start errors when there is no non-loopback interface
(Closes: #893762)
samba (2:4.8.0+dfsg-1) experimental; urgency=medium
[ Mathieu Parent ]
* New major upstream version
- Update d/gbp.conf and d/watch for 4.8
- Update upstream source from tag 'upstream/4.8.0+dfsg'
- Re-apply patches
- Remove patches merged upstream:
+ no_build_system.patch
+ systemd-syslog.target-is-obsolete.patch
+ Add-documentation-to-systemd-Unit-files.patch
+ fix_kill_path_in_units.patch
+ nmbd-requires-a-working-network.patch
+ CVE-2018-1050-11343-4.7.patch
+ CVE-2018-1057-v4-7.metze01.patches.txt
- Bump build-depends talloc >= 2.1.11~, tdb >= 1.3.15~, tevent >= 0.9.36~
and ldb >= 2:1.3.2~
- Drop Build-Conflicts-Arch: libaio-dev, vfs_aio_linux was dropped
- Update debian/*.install and use debian/not-installed
- Update debian/libsmbclient.symbols
- Upload to experimental
* debian/README.source
- Update instructions
- Convert to Markdown
- Add a symlink from README.source to README.source.md
* debian/rules:
- Use the new --systemd-install-services
- Use dh_missing --fail-missing
- Re-order debian/rules overrides in the order they are called
- Remove broken get-packaged-orig-source target
- Remove unused DEB_BUILD_OPT_FOO variables
- Add some comments
- Move all the custom installs from override_dh_install to
override_dh_auto_install
- Remove --sourcedir override to dh_install "since dh_install automatically
looks for files in debian/tmp in debhelper compatibility level 7 and
above"
- PIDFile= is now correctly set in *.service
[ Louis van Belle ]
* Update d/control, Relax Build-Depends to allow backport
-- Andreas Hasenack <email address hidden> Tue, 21 Aug 2018 09:57:57 -0300
-
samba (2:4.7.6+dfsg~ubuntu-0ubuntu3) cosmic; urgency=medium
* No change rebuild to link with new ldb 1.3.3
-- Andreas Hasenack <email address hidden> Tue, 03 Jul 2018 09:57:24 -0300
-
samba (2:4.7.6+dfsg~ubuntu-0ubuntu2) bionic; urgency=medium
* debian/patches/passdb_dont_return_ok_if_pinfo_not_filled.patch:
[PATCH] s3:passdb: Do not return OK if we don't have pinfo filled.
Thanks to Andreas Schneider <email address hidden>. (LP: #1761737)
-- Andreas Hasenack <email address hidden> Wed, 18 Apr 2018 11:49:55 -0300